settingsLogin | Registersettings

[Openstack] [OpenStack][Keystone][OpenStackClient] Switching to admin endpoint mid request, how / why?

0 votes

Hi All,

While intending to direct requests from the openstack client to the public endpoint of my keystone instance, it seems as though after initial authentication the client gives subsequent requests to the admin endpoint. Is there a setting somewhere that I’ve missed either client or server side where the entire request could be done through the public endpoint? My install/config is the all-in-one devstack using master. Absolutely no local changes.

Marked-up copy paste :

timothy_symanczyk@community:~$ source ./becomeDemo.sh

OSUSERDOMAIN_NAME=Default

OSPROJECTNAME=demo

OS_PASSWORD=stack

OSAPIVERSION=3

OSAUTHURL=http://192.168.207.21:5000/

OS_USERNAME=demo

OSPROJECTDOMAIN_NAME=Default

Auth URL explicitly specified as the public :5000 endpoint.

timothy_symanczyk@community:~$ openstack --debug project show demo

DEBUG: openstackclient.shell options: Namespace(authtype='', authurl='http://192.168.207.21:5000/', cacert='', cloud='', debug=True, defaultdomain='default', deferredhelp=False, domainid='', domainname='', endpoint='', identityprovider='', identityproviderurl='', insecure=None, logfile=None, oscomputeapiversion='2', osidentityapiversion='2', osimageapiversion='1', osnetworkapiversion='2', osobjectapiversion='1', osprojectid=None, osprojectname=None, osvolumeapiversion='1', password='stack', projectdomainid='', projectdomainname='Default', projectid='', projectname='demo', regionname='', serviceproviderendpoint='', timing=False, token='', trustid='', url='', userdomainid='', userdomainname='Default', userid='', username='demo', verboselevel=3, verify=None)

DEBUG: openstackclient.shell defaults: {'authtype': 'oscpassword', 'computeapiversion': '2', 'databaseapiversion': '1.0', 'apitimeout': None, 'baremetalapiversion': '1', 'imageapiusetasks': False, 'endpointtype': 'public', 'floatingipsource': 'neutron', 'key': None, 'cacert': None, 'networkapiversion': '2', 'objectapiversion': '1', 'imageapiversion': '1', 'verify': True, 'identityapiversion': '2', 'volumeapiversion': '1', 'cert': None, 'secgroupsource': 'neutron', 'disablevendoragent': {}}

DEBUG: openstackclient.shell cloud cfg: {'authtype': 'oscpassword', 'computeapiversion': '2', 'databaseapiversion': '1.0', 'timing': False, 'networkapiversion': '2', 'objectapiversion': '1', 'imageapiversion': '1', 'verify': True, 'verboselevel': 3, 'regionname': '', 'apitimeout': None, 'baremetalapiversion': '1', 'auth': {'username': 'demo', 'projectname': 'demo', 'tenantname': 'demo', 'userdomainname': 'Default', 'authurl': 'http://192.168.207.21:5000/', 'password': 'stack', 'projectdomainname': 'Default'}, 'defaultdomain': 'default', 'imageapiusetasks': False, 'endpointtype': 'public', 'floatingipsource': 'neutron', 'key': None, 'cacert': None, 'deferredhelp': False, 'identityapiversion': '2', 'volumeapiversion': '1', 'cert': None, 'secgroupsource': 'neutron', 'debug': True, 'disablevendor_agent': {}}

DEBUG: openstackclient.shell compute API version 2, cmd group openstack.compute.v2

DEBUG: openstackclient.shell network API version 2, cmd group openstack.network.v2

DEBUG: openstackclient.shell image API version 1, cmd group openstack.image.v1

DEBUG: openstackclient.shell volume API version 1, cmd group openstack.volume.v1

DEBUG: openstackclient.shell identity API version 2, cmd group openstack.identity.v2

DEBUG: openstackclient.shell objectstore API version 1, cmd group openstack.objectstore.v1

INFO: openstackclient.shell command: project show -> openstackclient.identity.v2_0.project.ShowProject

DEBUG: openstackclient.api.auth Auth plugin osc_password selected

DEBUG: openstackclient.api.auth authtype: oscpassword

INFO: openstackclient.common.clientmanager Using auth plugin: osc_password

DEBUG: openstackclient.common.clientmanager Using parameters {'username': 'demo', 'projectname': 'demo', 'authurl': 'http://192.168.207.21:5000/', 'tenantname': 'demo', 'userdomainname': 'Default', 'password': 'stack', 'projectdomain_name': 'Default'}

DEBUG: openstackclient.common.clientmanager Get auth_ref

DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:5000/ -H "Accept: application/json" -H "User-Agent: python-openstackclient"

INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21

DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 597

DEBUG: keystoneclient.session RESP: [300] content-length: 597 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json

RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.207.21:5000/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.207.21:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to http://192.168.207.21:5000/v3/auth/tokens

DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915

DEBUG: openstackclient.identity.v20.project.ShowProject takeaction(Namespace(columns=[], formatter='table', max_width=0, prefix='', project='demo', variables=[]))

DEBUG: openstackclient.identity.client Instantiating identity client:

DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to http://192.168.207.21:5000/v3/auth/tokens

DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915

Everything above here appears to use the public :5000 endpoint, and then everything after here appears to use the admin :35357 endpoint.

DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/ -H "Accept: application/json" -H "User-Agent: python-openstackclient"

INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21

DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 599

DEBUG: keystoneclient.session RESP: [300] content-length: 599 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json

RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.207.21:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.207.21:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/v2.0/tenants/demo -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"

DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants/demo HTTP/1.1" 403 179

DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=99 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-900925a9-bbe6-4deb-a50c-6d496681503b

RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

DEBUG: keystoneclient.session Request returned failure status: 403

DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"

DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants HTTP/1.1" 403 179

DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=98 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-336ef5dc-1f46-4cde-946a-ba91415b5d57

RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}

DEBUG: keystoneclient.session Request returned failure status: 403

+---------+----------------------------------+

| Field | Value |

+---------+----------------------------------+

| enabled | True |

| id | 20f42190a63c443e9209d2bc576b14e4 |

| name | demo |

+---------+----------------------------------+

DEBUG: openstackclient.shell clean_up ShowProject:

timothy_symanczyk@community:~$

Any help or insight greatly appreciated.

Tim


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
asked Sep 16, 2015 in openstack by Timothy_Symanczyk (400 points)  

1 Response

0 votes

There are a few factors at play here:

1) Your auth_url is unversioned (meaning it doesn't have the dangly bit of /v2.0 or /v3)
2) os-api-version isn't a thing, so it's not even being used (you probably want os-identity-api-version), as a result, osc will use v2.0 keystone APIs

osc noticed you had used a user domain name and project domain name, so it was smart enough to perform a v3 auth request (this is shown with the POST to /v3/auth/tokens)

once you have the token, osc will call the v2.0 APIs for the command (project list), which is only supported on the 'admin' port, by default it's 35357. more info on that here: http://developer.openstack.org/api-ref-identity-admin-v2.html

Basically, I think you really want to set os-identity-api-version instead of os-api-version.

Thanks,

Steve Martinelli
OpenStack Keystone Core

Timothy Symanczyk ---2015/09/16 05:41:35 PM---Hi All, While intending to direct requests from the openstack client to the public endpoint of my ke

From: Timothy Symanczyk Timothy_Symanczyk@symantec.com
To: openstack openstack@lists.openstack.org
Date: 2015/09/16 05:41 PM
Subject: [Openstack] [OpenStack][Keystone][OpenStackClient] Switching to admin endpoint mid request, how / why?

Hi All,

While intending to direct requests from the openstack client to the public endpoint of my keystone instance, it seems as though after initial authentication the client gives subsequent requests to the admin endpoint. Is there a setting somewhere that I’ve missed either client or server side where the entire request could be done through the public endpoint? My install/config is the all-in-one devstack using master. Absolutely no local changes.

Marked-up copy paste :

timothysymanczyk@community:~$ source ./becomeDemo.sh
OS
USERDOMAINNAME=Default
OSPROJECTNAME=demo
OSPASSWORD=stack
OS
APIVERSION=3
OS
AUTHURL=http://192.168.207.21:5000/
OS
USERNAME=demo
OSPROJECTDOMAIN_NAME=Default
Auth URL explicitly specified as the public :5000 endpoint.

timothysymanczyk@community:~$ openstack --debug project show demo
DEBUG: openstackclient.shell options: Namespace(auth
type='', authurl='http://192.168.207.21:5000/', cacert='', cloud='', debug=True, defaultdomain='default', deferredhelp=False, domainid='', domainname='', endpoint='', identityprovider='', identityproviderurl='', insecure=None, logfile=None, oscomputeapiversion='2', osidentityapiversion='2', osimageapiversion='1', osnetworkapiversion='2', osobjectapiversion='1', osprojectid=None, osprojectname=None, osvolumeapiversion='1', password='stack', projectdomainid='', projectdomainname='Default', projectid='', projectname='demo', regionname='', serviceproviderendpoint='', timing=False, token='', trustid='', url='', userdomainid='', userdomainname='Default', userid='', username='demo', verboselevel=3, verify=None)
DEBUG: openstackclient.shell defaults: {'auth
type': 'oscpassword', 'computeapiversion': '2', 'databaseapiversion': '1.0', 'apitimeout': None, 'baremetalapiversion': '1', 'imageapiusetasks': False, 'endpointtype': 'public', 'floatingipsource': 'neutron', 'key': None, 'cacert': None, 'networkapiversion': '2', 'objectapiversion': '1', 'imageapiversion': '1', 'verify': True, 'identityapiversion': '2', 'volumeapiversion': '1', 'cert': None, 'secgroupsource': 'neutron', 'disablevendoragent': {}}
DEBUG: openstackclient.shell cloud cfg: {'auth
type': 'oscpassword', 'computeapiversion': '2', 'databaseapiversion': '1.0', 'timing': False, 'networkapiversion': '2', 'objectapiversion': '1', 'imageapiversion': '1', 'verify': True, 'verboselevel': 3, 'regionname': '', 'apitimeout': None, 'baremetalapiversion': '1', 'auth': {'username': 'demo', 'projectname': 'demo', 'tenantname': 'demo', 'userdomainname': 'Default', 'authurl': 'http://192.168.207.21:5000/', 'password': 'stack', 'projectdomainname': 'Default'}, 'defaultdomain': 'default', 'imageapiusetasks': False, 'endpointtype': 'public', 'floatingipsource': 'neutron', 'key': None, 'cacert': None, 'deferredhelp': False, 'identityapiversion': '2', 'volumeapiversion': '1', 'cert': None, 'secgroupsource': 'neutron', 'debug': True, 'disablevendoragent': {}}
DEBUG: openstackclient.shell compute API version 2, cmd group openstack.compute.v2
DEBUG: openstackclient.shell network API version 2, cmd group openstack.network.v2
DEBUG: openstackclient.shell image API version 1, cmd group openstack.image.v1
DEBUG: openstackclient.shell volume API version 1, cmd group openstack.volume.v1
DEBUG: openstackclient.shell identity API version 2, cmd group openstack.identity.v2
DEBUG: openstackclient.shell objectstore API version 1, cmd group openstack.objectstore.v1
INFO: openstackclient.shell command: project show -> openstackclient.identity.v20.project.ShowProject
DEBUG: openstackclient.api.auth Auth plugin osc
password selected
DEBUG: openstackclient.api.auth authtype: oscpassword
INFO: openstackclient.common.clientmanager Using auth plugin: oscpassword
DEBUG: openstackclient.common.clientmanager Using parameters {'username': 'demo', 'project
name': 'demo', 'authurl': 'http://192.168.207.21:5000/', 'tenantname': 'demo', 'userdomainname': 'Default', 'password': 'stack', 'projectdomainname': 'Default'}
DEBUG: openstackclient.common.clientmanager Get auth_ref
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:5000/ -H "Accept: application/json" -H "User-Agent: python-openstackclient"
INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21
DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 597
DEBUG: keystoneclient.session RESP: [300] content-length: 597 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.207.21:5000/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.207.21:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to http://192.168.207.21:5000/v3/auth/tokens
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915
DEBUG: openstackclient.identity.v20.project.ShowProject takeaction(Namespace(columns=[], formatter='table', max_width=0, prefix='', project='demo', variables=[]))
DEBUG: openstackclient.identity.client Instantiating identity client:
DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to http://192.168.207.21:5000/v3/auth/tokens
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915
Everything above here appears to use the public :5000 endpoint, and then everything after here appears to use the admin :35357 endpoint.

DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/ -H "Accept: application/json" -H "User-Agent: python-openstackclient"
INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21
DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 599
DEBUG: keystoneclient.session RESP: [300] content-length: 599 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.207.21:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.207.21:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/v2.0/tenants/demo -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"
DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants/demo HTTP/1.1" 403 179
DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=99 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-900925a9-bbe6-4deb-a50c-6d496681503b
RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: adminrequired (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
DEBUG: keystoneclient.session Request returned failure status: 403
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"
DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants HTTP/1.1" 403 179
DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=98 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-336ef5dc-1f46-4cde-946a-ba91415b5d57
RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin
required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}
DEBUG: keystoneclient.session Request returned failure status: 403
+---------+----------------------------------+
| Field | Value |
+---------+----------------------------------+
| enabled | True |
| id | 20f42190a63c443e9209d2bc576b14e4 |
| name | demo |
+---------+----------------------------------+
DEBUG: openstackclient.shell cleanup ShowProject:
timothy
symanczyk@community:~$

Any help or insight greatly appreciated.

Tim_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


responded Sep 17, 2015 by Steve_Martinelli (6,500 points)   1 3 6
...